Exetools - Get real address of api not nt version

Page 2 of 2

Show 40 post(s) from this thread on one page

Exetools (https://forum.exetools.com/index.php)

- General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)

- - Get real address of api not nt version (https://forum.exetools.com/showthread.php?t=18791)

ioannis

05-22-2018 04:40

win32u.dll exists in Win10 (dont know about Win 8)

Quote:

user32.dll+30B00
NtUserShowWindow:
00007FFEFF490B00 FF 25 72 46 05 00 jmp qword ptr [__imp_NtUserShowWindow (07FFEFF4E5178h)]

Address 07FFEFF4E5178h holds the address to the real function NtUserShowWindow in win32u.dll

Quote:

0x00007FFEFF4E5178 50 1b 27 fe fe 7f 00 00 P.'ώώ...

In such case it all depends at which point you expect to find a hook, here there are 3 places where a hook might be applied.
1. at address 00007FFEFF490B00 in user32.dll
2. at address 00007FFEFF4E5178 in user32.dll
3. at address 00007FFEFE271B50 in win32u.dll

dosprog

05-22-2018 08:49

Quote:

Originally Posted by Mahmoudnia (Post 113406)

Please check the attachment.

Sorry, please upload it somewhere else.

Mahmoudnia

05-22-2018 21:08

Quote:

win32u.dll exists in Win10 (dont know about Win 8)

Thank you, I have to check again

Quote:

Originally Posted by dosprog (Post 113414)

Sorry, please upload it somewhere else.

http://www.mediafire.com/file/h55ajo90cor6o78/Check.rar

ioannis

05-23-2018 00:44

@Mahmoudnia

By the way, one thing that may confuse you, is that, you are seing user32.NtUserShowWindow instead of user32.ShowWindow in the debugger because you have loaded the debugging symbols of the module user32.dll.

The exported function name is obviously ShowWindow but the internal name of the function included in the debugg symbols is NtUserShowWindow which is what you see.

Remove the debug symbols for user32.dll cached on your pc and then try Ctrl+G again.

All times are GMT +8. The time now is 11:52.

Page 2 of 2

Show 40 post(s) from this thread on one page